Take Control of Your Medical Information: Personal Health Records and Your Privacy

If you established care with a medical office tomorrow,
would you be able to give your new doctor a complete copy of your medical
records, lab tests and a list of your prescription drugs? If you're like most
Americans, your health information is split among your various health care
providers. For example, you may have records at a hospital, a physician's
office, your dentist, a pharmacy, and an optician's dispensary.

Since each health care provider maintains its own file on
you, it can be challenging to get control of your medical records. However, HIPAA's
right to access[1]
coupled with the emerging market for the Personal
Health Record (PHR)[2] is changing that.

The Privacy Rights Clearinghouse (PRC) recently published a
consumer guide on PHRs that discusses privacy and security considerations as
well as both California and federal law. The guide, Personal Health Records and Privacy[3],
is part of the PRC’s series on California
Medical Privacy[4]. Whether or not you live in California, you will find the
tips in this guide to be useful.

Here are some of the highlights:

You have a right to access your medical records.

Under the Health Insurance Portability
and Accountability Act (HIPAA)[5], the federal medical privacy law, you have a
right to obtain copies of the medical records maintained by your health care
providers. This means you can gather information from multiple sources and keep
your medical history as a single record. See PRC's sample
letter[6] to request your records in writing.

A PHR allows you to keep your own record of your medical
history, and is usually an electronic system or software that provides a centralized
storage space for your health information. A PHR may also support options such
as secure email with your physicians and links to medical informational
websites and archives.

PHRs have the potential to help individuals become better
informed about their medical history and more engaged in their own healthcare. However,
as with all types of electronic records, PHRs do present certain privacy and
security concerns.

Many PHRs are not covered under HIPAA.

A key question when considering the use of a PHR is whether
it is covered by HIPAA. Only PHRs offered by a "covered entity[7]"
are subject to HIPAA. Covered entities include health care providers, health
plans and health care clearinghouses. All other PHRs are not subject to HIPAA. While
some commercial PHRs may advertise themselves as “HIPAA-compliant,” the only
privacy protections they offer are those in their own privacy notices and policies,
which they can change at any time.

PHRs for Californians may
be covered by the Confidentiality
of Medical Information Act[8] (CMIA), depending upon the interpretation of California law. Until the law is tested in court, it may not
be completely clear whether PHR vendors are subject to the CMIA's information
privacy requirements.

While the PHR's security may be somewhat beyond your
control, you should be notified if your data has been breached – under both federal and California
law.

HIPAA-covered PHRs have more stringent security and privacy
requirements. Until stronger protections are in place for all PHRs, we recommend choosing a HIPAA-covered PHR; however, they
may limit your ability to centralize records from multiple health providers.

If you are considering using a commercial PHR, read its "notice
of privacy practices" and privacy policy first. A notice of privacy
practices applies specifically to the PHR product and the information collected
in it; a privacy policy explains the company’s overall privacy and security
policies.

The following are some questions you should keep in mind
when reading a PHR's privacy notice and policy:

How will your information's security be
safeguarded? Will it be encrypted when it is stored and transmitted? Does the
vendor store your medical information in the cloud and how secure is that
storage?

Is the PHR data stored in the U.S.? If it is
not, it will not be protected by any U.S. laws.

What does the vendor say about how it may use or
disclose your information? Does it mention disclosure of de-identified or
aggregate data (an indication that it is selling the data)?

Who will have access to your medical
information? What control do you have over access to the information in your
PHR? Will your information be sold to or shared with third parties, such as
marketers? Can you find out who accessed your medical information?

Can you cancel the PHR? What happens to the
medical information that is in the PHR if you do cancel? Does the vendor keep the
data and continue sharing it or does the vendor destroy all the data that is in
your PHR?

How does the PHR generate revenue? Keep in mind
that they are businesses and that monetizing your medical information may be
part of their business plan.

Do you have any ability to delete information
that has already been sent to providers from the PHR?

What support does the vendor offer for the PHR? How
do you contact customer service and what is the response time?

Not comfortable with electronic PHRs? You can still
accomplish the same goal by consolidating printouts or paper copies of your
medical records and keeping them in a secure place.